Automated and continuous cybersecurity assessment with measurement and scoring

ABSTRACT

Automated and continuous cybersecurity assessment with measurement and scoring. In an embodiment, a cyber-hygiene score is calculated based on data representing asserted cybersecurity controls within an entity system. The cyber-hygiene score indicates an extent of implementation of cybersecurity controls associated with a cybersecurity standard. In addition, automated cybersecurity test(s) are performed on the entity system, and a cyber-breach score is calculated based on the test scores calculated from the automated cybersecurity test(s). The cyber-breach score indicates an effectiveness of the implemented cybersecurity controls. The automated cybersecurity test(s) may comprise an inside-out controls test, an outside-in controls test, and/or a social-engineering test (e.g., phishing simulation). A cybersecurity assessment is generated based on the cyber-hygiene score and the cyber-breach score.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. patent application Ser. No. 17/409,436, filed on Aug. 23, 2021, which claims priority to U.S. Provisional Patent App. No. 63/069,468, filed on Aug. 24, 2020, which are both hereby incorporated herein by reference as if set forth in full.

BACKGROUND

Field of the Invention

The embodiments described herein are generally directed to cybersecurity risk management, and, more particularly, to the automation of a cybersecurity assessment.

Description of the Related Art

Virtually every entity that possesses valuable data faces cyber-risk from threat actors, ranging from individual hackers, to organized criminal gangs, to terrorist groups, to hostile nation states. These threat actors seek to steal intellectual property or other data or otherwise cause disruption or harm to entities for financial or other gain. Naturally, governmental bodies and federal and state regulators encourage entities to comply with cybersecurity guidance, such as the National Institute of Standards and Technology (NIST) cybersecurity framework and standards, and to perform a cybersecurity assessment in order to identify and mitigate cyber-risk.

In the United States, the Department of Defense (DoD) has taken the lead to go beyond mere encouragement. In particular, the DoD now requires all defense contractors to implement the Cybersecurity Maturity Model Certification (CMMC) standard and obtain a third-party compliance audit for CMMC certification. The CMMC standards have seventeen security domains and five levels. Each level has mandated cybersecurity controls (e.g., practices and/or processes). For example, Level 1 requires implementation of seventeen cybersecurity controls, Level 3 requires implementation of one-hundred-thirty cybersecurity controls, and Level 5 requires implementation of one-hundred-seventy-one cybersecurity controls.

While the DoD has provided guidance on the CMMC cybersecurity controls in a Portable Document Format (PDF), implementation of these controls remains a challenging task. Using a PDF to perform a cybersecurity assessment to ensure compliance and prepare for a third-party audit is complex, laborious, and time-consuming. Also, the implementing entity is unable to compare its implementation with the implementations of other entities. Thus, the cybersecurity assessment is performed manually and blindly. Consequently, proper cyber-risk mitigation is not timely achieved, and the transfer of cyber-risk from the entity to an insurer is not adequately achieved and/or accurately priced.

In addition, the testing of implemented cybersecurity controls on an ongoing basis is cost-prohibitive. Most companies that can afford cybersecurity testing only perform an annual penetration test. Thus, security holes may remain undetected for months or even years. These security holes create vulnerabilities for threat actors to exploit and are the root cause of the current barrage of data thefts and ransomware attacks.

For insurance providers, cyber-insurance is difficult to underwrite and price without adequate insights into cyber-risk profiles of the entities to be insured. Currently, to underwrite cyber-insurance, insurance companies utilize archaic and inconsistent insurance application forms to request rudimentary information about information security programs. As a result, cyber-insurance underwriting and risk pricing is done imprecisely. Consequently, cyber-insurance premiums are unaffordable for many entities, which, therefore, do not carry cyber-insurance, thereby exposing themselves to cyber-risk.

Thus, there is a need for automated cybersecurity assessments so that cyber-risk can be quantified, benchmarked, and mitigated, and implemented cybersecurity controls can be validated and audited, for compliance, certification, insurance, and/or the like, and control failures and security holes can be timely detected and rectified before a threat actor can exploit them, in order to prevent a data theft or ransomware attack. Such technology could better protect entities from cyber-risk and improve corporate, as well as national, security.

SUMMARY

Accordingly, systems, methods, and non-transitory computer-readable media are disclosed for automated cybersecurity assessment.

In an embodiment, a method comprises using at least one hardware processor to: receive data representing asserted cybersecurity controls within an entity system; calculate a cyber-hygiene score based on the received data, wherein the cyber-hygiene score indicates an extent of implementation of a plurality of cybersecurity controls associated with at least one cybersecurity standard; perform one or more automated cybersecurity tests on the entity system, wherein the one or more automated cybersecurity tests comprise at least one of an inside-out controls test, an outside-in controls test, or a social-engineering test; for each of the one or more automated cybersecurity tests, calculate a test score based on results from the automated cybersecurity test; calculate a cyber-breach score based on the test scores calculated for the one or more automated cybersecurity tests, wherein the cyber-breach score indicates an effectiveness of the implementation of the plurality of cybersecurity controls associated with the at least one cybersecurity standard; and generate a cybersecurity assessment based on the cyber-hygiene score and the cyber-breach score. The method may further comprise using the at least one hardware processor to update the cyber-hygiene score based on the results from the automated cybersecurity tests.

The one or more automated cybersecurity tests may be a plurality of automated cybersecurity tests, wherein calculating the cyber-breach score comprises combining the test scores calculated for the plurality of automated cybersecurity tests. The plurality of automated cybersecurity tests may comprise the inside-out controls test, which is performed by a software agent within the entity system, and the outside-in controls test, which is performed against Internet-facing assets of the entity system from outside the entity system.

The one or more automated cybersecurity tests may comprise the inside-out controls test, wherein the inside-out controls test is executed by a software agent on a node within a network of the entity system. The method may further comprise using the at least one hardware processor to, in response to a triggering event, trigger the inside-out controls test via a call to the software agent. The method may further comprise using the at least one hardware processor to instantiate and configure a dedicated virtual machine to receive results of the inside-out controls test from the software agent.

The one or more automated cybersecurity tests may comprise the outside-in controls test, wherein the outside-in controls test is performed against Internet-facing assets of the entity system. The method may further comprise using the at least one hardware processor to receive one or more Uniform Resource Locators (URLs), wherein the outside-in controls test is performed on all of the received one or more URLs.

The one or more automated cybersecurity tests may comprise the social-engineering test, wherein the social-engineering test comprises a phishing simulation against one or more email addresses. The method may further comprise using the at least one hardware processor to: receive a specification of a landing page; incorporate a hyperlink to the landing page into an email message; send the email message to each of the one or more email addresses; and track visits to the landing page. The method may further comprise using the at least one hardware processor to host the landing page. The method may further comprise using the at least one hardware processor to: receive a specification of an email template; and generate the email message from the email template. The method may further comprise using the at least one hardware processor to receive a specification of a domain, wherein the email message is sent from the domain. The one or more email addresses may be a plurality of email addresses, and the method may further comprise using the at least one hardware processor to receive a specification of the plurality of email addresses.

Receiving data may comprise: generating a graphical user interface; and receiving responses to a questionnaire via the graphical user interface, wherein the questionnaire comprises one or more of questions, requests for declarative statements, or requests for supporting documents, wherein the cyber-hygiene score is calculated based on the responses.

The method may further comprise using the at least one hardware processor to assign each of a plurality of portions of a questionnaire to one of a plurality of second users based on a user operation from a first user, wherein receiving data comprises, for each of the plurality of second users: generating a graphical user interface; and receiving responses to the portion of the questionnaire, assigned to the second user, via the graphical user interface. The questionnaire may comprise one or more of questions, requests for declarative statements, or requests for supporting documents.

The method may further comprise determining a probability of a cybersecurity breach based on one or more features in one or both of the received data or the results from the one or more automated cybersecurity tests, wherein the cybersecurity assessment is further based on the probability of a cybersecurity breach. The method may further comprise generating a comparison of each of one or more of the cyber-hygiene score, the cyber-breach score, or the probability of a cybersecurity breach to a benchmark derived from peers of an entity operating the entity system, wherein the cybersecurity assessment comprises the comparison. The probability of a cybersecurity breach may be determined using a machine-learning model that is trained to predict the probability of a cybersecurity breach based on the one or more features. The cybersecurity assessment may comprise the cyber-hygiene score, the cyber-breach score, and the probability of a cybersecurity breach. The cybersecurity assessment may comprise a graphical user interface that comprises a hierarchical arrangement of expandable and collapsible graphical elements that provide access to details for the cyber-hygiene score, the cyber-breach score, the probability of a cybersecurity breach, and the comparison.

The method may further comprise detecting one or more failures in the implementation of the plurality of cybersecurity controls associated with the at least one cybersecurity standard, based on one or both of the received data or the results from the one or more automated cybersecurity tests, wherein the cybersecurity assessment identifies each of the detected one or more failures. The method may further comprise, in response to detecting the one or more failures, initiating at least one alert to one or more recipients.

The one or more automated cybersecurity tests may be a plurality of automated cybersecurity tests that comprises the inside-out controls test, which is performed by a software agent within the entity system, the outside-in controls test, which is performed against Internet-facing assets of the entity system from outside the entity system, and the social-engineering test, which comprises a phishing simulation against one or more email addresses, wherein calculating the cyber-breach score comprises combining the test scores calculated for the plurality of automated cybersecurity tests.

Any of the above methods may be embodied in executable software modules of a processor-based system, such as a server, and/or in executable instructions stored in a non-transitory computer-readable medium.

BRIEF DESCRIPTION OF THE DRAWINGS

The details of the present invention, both as to its structure and operation, may be gleaned in part by study of the accompanying drawings, in which like reference numerals refer to like parts, and in which:

FIG. 1 illustrates an example infrastructure, in which one or more of the processes described herein, may be implemented, according to an embodiment;

FIG. 2 illustrates an example processing system, by which one or more of the processes described herein, may be executed, according to an embodiment;

FIG. 3 illustrates an example data flow between a platform, user system, and entity system, according to an embodiment;

FIG. 4 illustrates an example process for generating a cybersecurity assessment, according to an embodiment;

FIG. 5 illustrates an example data flow for automated inside-out controls testing, according to an embodiment;

FIG. 6 illustrates an example flowchart for an automated outside-in controls test, according to an embodiment; and

FIG. 7 illustrates an example flowchart for an automated phishing simulation, according to an embodiment.

DETAILED DESCRIPTION

In an embodiment, systems, methods, and non-transitory computer-readable media are disclosed for automated cybersecurity assessment. After reading this description, it will become apparent to one skilled in the art how to implement the invention in various alternative embodiments and alternative applications. However, although various embodiments of the present invention will be described herein, it is understood that these embodiments are presented by way of example and illustration only, and not limitation. As such, this detailed description of various embodiments should not be construed to limit the scope or breadth of the present invention as set forth in the appended claims.

1. System Overview

1.1. Infrastructure

FIG. 1 illustrates an example infrastructure in which one or more of the disclosed processes may be implemented, according to an embodiment. The infrastructure may comprise a platform 110 (e.g., one or more servers) which hosts and/or executes one or more of the various functions, processes, methods, and/or software modules described herein. Platform 110 may comprise dedicated servers, or may instead comprise cloud instances, which utilize shared resources of one or more servers. These servers or cloud instances may be collocated and/or geographically distributed. Platform 110 may also comprise or be communicatively connected to a server application 112 and/or one or more databases 114. In addition, platform 110 may be communicatively connected to one or more user systems 130 via one or more networks 120. Platform 110 may also be communicatively connected to one or more entity systems 140 (e.g., to be assessed) and/or one or more third-party systems 150 (e.g., operated by auditors, insurance brokers, insurance providers, etc.) via one or more networks 120.

Network(s) 120 may comprise the Internet, and platform 110 may communicate with user system(s) 130, entity system(s) 140, and/or third-party systems 150 through the Internet using standard transmission protocols, such as HyperText Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Secure Shell FTP (SFTP), and the like, as well as proprietary protocols. While platform 110 is illustrated as being connected to various systems through a single set of network(s) 120, it should be understood that platform 110 may be connected to the various systems via different sets of one or more networks. For example, platform 110 may be connected to a subset of user systems 130, entity systems 140, and/or third-party systems 150 via the Internet, but may be connected to one or more other user systems 130, entity systems 140, and/or third-party systems 150 via an intranet. Furthermore, while only a few user systems 130, entity systems 140, and third-party systems, one server application 112, and one set of database(s) 114 are illustrated, it should be understood that the infrastructure may comprise any number of user systems, entity systems, third-party systems, server applications, and databases.

Entity system(s) 140 may comprise any type or types of computing devices capable of wired and/or wireless communication. However, it is contemplated that an entity system 140 would primarily comprise a server (e.g., supporting a website) or network (e.g., private intranet) that is operated by an entity. As used herein, the term “entity” may refer to any company, corporation, partnership, government agency, non-profit or for-profit organization, department, subsidiary, affiliate, business unit, individual, group of individuals, or any other legal entity, person, or group of people that operates a system or network that might be a target of a threat actor. A typical entity might be a corporation, university, government agency, defense contractor, bank, law firm, hospital, or the like that possesses sensitive and valuable information.

User system(s) 130 may also comprise any type or types of computing devices capable of wired and/or wireless communication, including without limitation, desktop computers, laptop computers, tablet computers, smart phones or other mobile phones, servers, game consoles, televisions, set-top boxes, electronic kiosks, point-of-sale terminals, and/or the like. However, it is contemplated that a user system 130 would primarily comprise a personal computer or mobile device that a user, representing an entity or responsible for some aspect of the entity's cybersecurity controls (e.g., a network administrator of the entity), utilizes to access one or more services provided by platform 110 (e.g., via a graphical user interface of a website supported by platform 110).

Platform 110 may comprise web servers which host one or more websites and/or web services. In embodiments in which a website is provided, the website may comprise a graphical user interface, including, for example, one or more screens (e.g., webpages) generated in HyperText Markup Language (HTML) or other language. Platform 110 transmits or serves one or more screens of the graphical user interface in response to requests from user system(s) 130. In some embodiments, these screens may be served in the form of a wizard, in which case two or more screens may be served in a sequential manner, and one or more of the sequential screens may depend on an interaction of the user or user system 130 with one or more preceding screens. The requests to platform 110 and the responses from platform 110, including the screens of the graphical user interface, may both be communicated through network(s) 120, which may include the Internet, using standard communication protocols (e.g., HTTP, HTTPS, etc.). These screens (e.g., webpages) may comprise a combination of content and elements, such as text, images, videos, animations, references (e.g., hyperlinks), frames, inputs (e.g., textboxes, text areas, checkboxes, radio buttons, drop-down menus, buttons, forms, etc.), scripts (e.g., JavaScript), and the like, including elements comprising or derived from data stored in one or more databases (e.g., database(s) 114) that are locally and/or remotely accessible to platform 110. Platform 110 may also respond to other requests from user system(s) 130.

Platform 110 may further comprise, be communicatively coupled with, or otherwise have access to one or more database(s) 114. For example, platform 110 may comprise one or more database servers which manage one or more databases 114. A user system 130 or server application 112 executing on platform 110 may submit data (e.g., user data, form data, etc.) to be stored in database(s) 114, and/or request access to data stored in database(s) 114. Any suitable database may be utilized, including without limitation MySQL™, Oracle™, IBM™, Microsoft SQL™, Access™, PostgreSQL™, and the like, including cloud-based databases and proprietary databases. Data may be sent to platform 110, for instance, using the well-known POST request supported by HTTP, via FTP, and/or the like. This data, as well as other requests, may be handled, for example, by server-side web technology, such as a servlet or other software module (e.g., comprised in server application 112), executed by platform 110.

In embodiments in which a web service is provided, platform 110 may receive requests from user system(s) 130, entity system(s) 140, and/or third-party systems 150 and provide responses in eXtensible Markup Language (XML), JavaScript Object Notation (JSON), and/or any other suitable or desired format. In such embodiments, platform 110 may provide an application programming interface (API) which defines the manner in which user system(s) 130, entity system(s) 140, and third-party system(s) 150 may interact with the web service. Thus, user system(s) 130, entity system(s) 140, and third-party system(s) 150 (which may themselves comprise servers), can define their own user interfaces, and rely on the web service to implement or otherwise provide the backend processes, methods, functionality, storage, and/or the like, described herein. For example, in such an embodiment, a client application 132, executing on one or more user system(s) 130 and potentially using a local database 134, may interact with a server application 112 executing on platform 110 to execute one or more or a portion of one or more of the various functions, processes, methods, and/or software modules described herein. In an embodiment, client application 132 may utilize a local database 134 for storing data locally on user system 130. Client application 132 may be “thin,” in which case processing is primarily carried out server-side by server application 112 on platform 110. A basic example of a thin client application 132 is a browser application, which simply requests, receives, and renders webpages at user system(s) 130, while server application 112 on platform 110 is responsible for generating the webpages and managing database functions. Alternatively, the client application may be “thick,” in which case processing is primarily carried out client-side by user system(s) 130. It should be understood that client application 132 may perform an amount of processing, relative to server application 112 on platform 110, at any point along this spectrum between “thin” and “thick,” depending on the design goals of the particular implementation. In any case, the software described herein, which may wholly reside on either platform 110 (e.g., in which case server application 112 performs all processing) or user system(s) 130 (e.g., in which case client application 132 performs all processing) or be distributed between platform 110 and user system(s) 130 (e.g., in which case server application 112 and client application 132 both perform processing), can comprise one or more executable software modules comprising instructions that implement one or more of the processes, methods, or functions described herein.

1.2. Example Processing Device

FIG. 2 is a block diagram illustrating an example wired or wireless system 200 that may be used in connection with various embodiments described herein. For example, system 200 may be used as or in conjunction with one or more of the functions, processes, or methods (e.g., to store and/or execute one or more software modules) described herein, and may represent components of platform 110, user system(s) 130, entity system(s) 140, third-party system(s) 150, and/or other processing devices described herein. System 200 can be a server or any conventional personal computer, or any other processor-enabled device that is capable of wired or wireless data communication. Other computer systems and/or architectures may be also used, as will be clear to those skilled in the art.

System 200 preferably includes one or more processors 210. Processor(s) 210 may comprise a central processing unit (CPU). Additional processors may be provided, such as a graphics processing unit (GPU), an auxiliary processor to manage input/output, an auxiliary processor to perform floating-point mathematical operations, a special-purpose microprocessor having an architecture suitable for fast execution of signal-processing algorithms (e.g., digital-signal processor), a slave processor subordinate to the main processing system (e.g., back-end processor), an additional microprocessor or controller for dual or multiple processor systems, and/or a coprocessor. Such auxiliary processors may be discrete processors or may be integrated with processor 210. Examples of processors which may be used with system 200 include, without limitation, the Pentium® processor, Core i7® processor, and Xeon® processor, all of which are available from Intel Corporation of Santa Clara, Calif.

Processor 210 is preferably connected to a communication bus 205. Communication bus 205 may include a data channel for facilitating information transfer between storage and other peripheral components of system 200. Furthermore, communication bus 205 may provide a set of signals used for communication with processor 210, including a data bus, address bus, and/or control bus (not shown). Communication bus 205 may comprise any standard or non-standard bus architecture such as, for example, bus architectures compliant with industry standard architecture (ISA), extended industry standard architecture (EISA), Micro Channel Architecture (MCA), peripheral component interconnect (PCI) local bus, standards promulgated by the Institute of Electrical and Electronics Engineers (IEEE) including IEEE 488 general-purpose interface bus (GPIB), IEEE 696/S-100, and/or the like.

System 200 preferably includes a main memory 215 and may also include a secondary memory 220. Main memory 215 provides storage of instructions and data for programs executing on processor 210, such as one or more of the functions and/or modules discussed herein. It should be understood that programs stored in the memory and executed by processor 210 may be written and/or compiled according to any suitable language, including without limitation C/C++, Java, JavaScript, Perl, Visual Basic, .NET, and the like. Main memory 215 is typically semiconductor-based memory such as dynamic random access memory (DRAM) and/or static random access memory (SRAM). Other semiconductor-based memory types include, for example, synchronous dynamic random access memory (SDRAM), Rambus dynamic random access memory (RDRAM), ferroelectric random access memory (FRAM), and the like, including read only memory (ROM).

Secondary memory 220 may optionally include an internal medium 225 and/or a removable medium 230. Removable medium 230 is read from and/or written to in any well-known manner. Removable storage medium 230 may be, for example, a magnetic tape drive, a compact disc (CD) drive, a digital versatile disc (DVD) drive, other optical drive, a flash memory drive, and/or the like.

Secondary memory 220 is a non-transitory computer-readable medium having computer-executable code (e.g., disclosed software modules) and/or other data stored thereon. The computer software or data stored on secondary memory 220 is read into main memory 215 for execution by processor 210.

In alternative embodiments, secondary memory 220 may include other similar means for allowing computer programs or other data or instructions to be loaded into system 200. Such means may include, for example, a communication interface 240, which allows software and data to be transferred from external storage medium 245 to system 200. Examples of external storage medium 245 may include an external hard disk drive, an external optical drive, an external magneto-optical drive, and/or the like. Other examples of secondary memory 220 may include semiconductor-based memory, such as programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable read-only memory (EEPROM), and flash memory (block-oriented memory similar to EEPROM).

As mentioned above, system 200 may include a communication interface 240. Communication interface 240 allows software and data to be transferred between system 200 and external devices (e.g. printers), networks, or other information sources. For example, computer software or executable code may be transferred to system 200 from a network server (e.g., platform 110) via communication interface 240. Examples of communication interface 240 include a built-in network adapter, network interface card (NIC), Personal Computer Memory Card International Association (PCMCIA) network card, card bus network adapter, wireless network adapter, Universal Serial Bus (USB) network adapter, modem, a wireless data card, a communications port, an infrared interface, an IEEE 1394 fire-wire, and any other device capable of interfacing system 200 with a network (e.g., network(s) 120) or another computing device. Communication interface 240 preferably implements industry-promulgated protocol standards, such as Ethernet IEEE 802 standards, Fiber Channel, digital subscriber line (DSL), asynchronous digital subscriber line (ADSL), frame relay, asynchronous transfer mode (ATM), integrated digital services network (ISDN), personal communications services (PCS), transmission control protocol/Internet protocol (TCP/IP), serial line Internet protocol/point to point protocol (SLIP/PPP), and so on, but may also implement customized or non-standard interface protocols as well.

Software and data transferred via communication interface 240 are generally in the form of electrical communication signals 255. These signals 255 may be provided to communication interface 240 via a communication channel 250. In an embodiment, communication channel 250 may be a wired or wireless network (e.g., network(s) 120), or any variety of other communication links. Communication channel 250 carries signals 255 and can be implemented using a variety of wired or wireless communication means including wire or cable, fiber optics, conventional phone line, cellular phone link, wireless data communication link, radio frequency (“RF”) link, or infrared link, just to name a few.

Computer-executable code (e.g., computer programs, such as the disclosed software modules) is stored in main memory 215 and/or secondary memory 220. Computer programs can also be received via communication interface 240 and stored in main memory 215 and/or secondary memory 220. Such computer programs, when executed, enable system 200 to perform the various functions of the disclosed embodiments as described elsewhere herein.

In this description, the term “computer-readable medium” is used to refer to any non-transitory computer-readable storage media used to provide computer-executable code and/or other data to or within system 200. Examples of such media include main memory 215, secondary memory 220 (including internal memory 225, removable medium 230, and external storage medium 245), and any peripheral device communicatively coupled with communication interface 240 (including a network information server or other network device). These non-transitory computer-readable media are means for providing executable code, programming instructions, software, and/or other data to system 200.

In an embodiment that is implemented using software, the software may be stored on a computer-readable medium and loaded into system 200 by way of removable medium 230, I/O interface 235, or communication interface 240. In such an embodiment, the software is loaded into system 200 in the form of electrical communication signals 255. The software, when executed by processor 210, preferably causes processor 210 to perform one or more of the processes and functions described elsewhere herein.

In an embodiment, I/O interface 235 provides an interface between one or more components of system 200 and one or more input and/or output devices. Example input devices include, without limitation, sensors, keyboards, touch screens or other touch-sensitive devices, cameras, biometric sensing devices, computer mice, trackballs, pen-based pointing devices, and/or the like. Examples of output devices include, without limitation, other processing devices, cathode ray tubes (CRTs), plasma displays, light-emitting diode (LED) displays, liquid crystal displays (LCDs), printers, vacuum fluorescent displays (VFDs), surface-conduction electron-emitter displays (SEDs), field emission displays (FEDs), and/or the like. In some cases, an input and output device may be combined, such as in the case of a touch panel display (e.g., in a smartphone, tablet, or other mobile device).

System 200 may also include optional wireless communication components that facilitate wireless communication over a voice network and/or a data network (e.g., in the case of user system 130). The wireless communication components comprise an antenna system 270, a radio system 265, and a baseband system 260. In system 200, radio frequency (RF) signals are transmitted and received over the air by antenna system 270 under the management of radio system 265.

In an embodiment, antenna system 270 may comprise one or more antennae and one or more multiplexors (not shown) that perform a switching function to provide antenna system 270 with transmit and receive signal paths. In the receive path, received RF signals can be coupled from a multiplexor to a low noise amplifier (not shown) that amplifies the received RF signal and sends the amplified signal to radio system 265.

In an alternative embodiment, radio system 265 may comprise one or more radios that are configured to communicate over various frequencies. In an embodiment, radio system 265 may combine a demodulator (not shown) and modulator (not shown) in one integrated circuit (IC). The demodulator and modulator can also be separate components. In the incoming path, the demodulator strips away the RF carrier signal leaving a baseband receive audio signal, which is sent from radio system 265 to baseband system 260.

If the received signal contains audio information, then baseband system 260 decodes the signal and converts it to an analog signal. Then the signal is amplified and sent to a speaker. Baseband system 260 also receives analog audio signals from a microphone. These analog audio signals are converted to digital signals and encoded by baseband system 260. Baseband system 260 also encodes the digital signals for transmission and generates a baseband transmit audio signal that is routed to the modulator portion of radio system 265. The modulator mixes the baseband transmit audio signal with an RF carrier signal, generating an RF transmit signal that is routed to antenna system 270 and may pass through a power amplifier (not shown). The power amplifier amplifies the RF transmit signal and routes it to antenna system 270, where the signal is switched to the antenna port for transmission.

Baseband system 260 is also communicatively coupled with processor(s) 210. Processor(s) 210 may have access to data storage areas 215 and 220. Processor(s) 210 are preferably configured to execute instructions (i.e., computer programs, such as the disclosed software modules) that can be stored in main memory 215 or secondary memory 220. Computer programs can also be received from baseband system 260 and stored in main memory 215 or in secondary memory 220, or executed upon receipt. Such computer programs, when executed, enable system 200 to perform the various functions of the disclosed embodiments.

1.3. Data Flow

FIG. 3 illustrates an example data flow between platform 110, a user system 130, and an entity system 140, according to an embodiment. As illustrated, platform 110 may comprise an assessment server 310 and a testing server 320. Assessment server 310 and/or testing server 320 may be implemented as software services on the same server device or in the cloud, or as separate hardware devices. Assessment server 310 utilizes a graphical user interface (GUI) 312 to collect data 314 from user system(s) 130 and store data 314 in database 114, and testing server 320 tests the cybersecurity of entity system 140 using one or more tests 322 and stores the test results 324 of tests 322 in database 114. It should be understood that, in this context, each user system 130 may be operated by the same entity as entity system 140. In other words, data 314 is collected from one or more user system(s) 130 of the entity, and test results 324 are collected from entity system 140 of the same entity. Assessment server 310 utilizes data 314 and/or test results 324 to generate a cybersecurity assessment 316, which may be provided, via graphical user interface 312, to a user system 130 associated with a user representing the entity and/or a third-party user system 130 (e.g., of an auditor, insurance broker, insurance provider, or other third party).

In a contemplated scenario, an entity, as represented by one or more users of one or more user systems 130, would input data 314 to assessment server 310 using GUI 312. Data 314 may be collected over one or a plurality of sessions and stored in database 114, for example, according to a workflow described elsewhere herein. Based on data 314, assessment server 310 or testing server 320 may devise or select one or more tests 322 that are automatically run against entity system 140 over a time period, with the test results 324 stored in database 114. Assessment server 310 may analyze the data, stored in database 114 for the entity, including data 314 and test results 324, to generate a cybersecurity assessment 316 of the entity.

Cybersecurity assessment 316 may comprise one or more scores representing the cybersecurity or cyber-risk of the entity and/or may compare the score(s) representing the cybersecurity or cyber-risk of the entity to benchmark score(s) derived from the entity's peers. As used herein, the term “peers” may refer to organizations (e.g., corporations) that are completely separate from the entity or entities within a separate organization, other entities within the same organization as the entity (e.g., business units or divisions within the same organization, a subsidiary, parent, or other affiliate of the entity, etc.), the entity's suppliers, the entity's customers, and/or the like. Cybersecurity assessment 316 may then be provided to the entity (e.g., a user representing the entity) and/or to a third-party auditor, insurance broker, or insurance provider (e.g., upon authorization of a user representing the entity). In the case that cybersecurity assessment 316 is provided to a third party, cybersecurity assessment 316 may be provided to a user of a user system 130 representing the third party and/or directly to a third-party system 150 (e.g., via an API of third-party system 150). The third party may be an insurance broker or insurance provider that can utilize cybersecurity assessment 316 to underwrite the entity and provide a competitive and informed quote on insurance premiums. Alternatively, the third party could be an auditor that utilizes cybersecurity assessment 316 to facilitate a successful and thorough audit and certification.

It should be understood that the data flow, illustrated in FIG. 3, may be performed and managed by platform 110 for a plurality of different entities. In this case, database 114 may associate data 314 and test results 324 with specific entities (e.g., using a unique entity identifier to link stored data structures). In addition, each cybersecurity assessment 316 may be similarly associated with a specific entity. Thus, users may only have access to data 314, test results 324, and cybersecurity assessments 316 that are associated with the specific entity with which the user is also associated (e.g., via a user account). Platform 110 may enforce these access limits using standard mechanisms for performing authentication (e.g., username and password, one-factor or two-factor authentication, etc.) and establishing permissions and roles.

2. Process Overview

Embodiments of processes for automating a cybersecurity assessment will now be described in detail. It should be understood that the described processes may be embodied in one or more software modules that are executed by one or more hardware processors (e.g., processor 210), for example, as the software discussed herein (e.g., assessment server 310 and/or testing server 320). The described processes may be implemented as instructions represented in source code, object code, and/or machine code. These instructions may be executed directly by hardware processor(s) 210, or alternatively, may be executed by a virtual machine operating between the object code and hardware processors 210. In addition, the disclosed software may be built upon or interfaced with one or more existing systems.

Alternatively, the described processes may be implemented as a hardware component (e.g., general-purpose processor, integrated circuit (IC), application-specific integrated circuit (ASIC), digital signal processor (DSP), field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, etc.), combination of hardware components, or combination of hardware and software components. To clearly illustrate the interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps are described herein generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled persons can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention. In addition, the grouping of functions within a component, block, module, circuit, or step is for ease of description. Specific functions or steps can be moved from one component, block, module, circuit, or step to another without departing from the invention.

Furthermore, while the processes, described herein, are illustrated with a certain arrangement and ordering of subprocesses, each process may be implemented with fewer, more, or different subprocesses and a different arrangement and/or ordering of subprocesses. For example, one or more of the illustrated or described subprocesses may be omitted and/or one or more non-illustrated or undescribed subprocesses may be added. In addition, it should be understood that any subprocess, which does not depend on the completion of another subprocess, may be executed before, after, or in parallel with that other independent subprocess, even if the subprocesses are described or illustrated in a particular order.

FIG. 4 illustrates an example process 400 for generating cybersecurity assessment 316, according to an embodiment. Process 400 may be implemented by platform 110, including assessment server 310 and/or testing server 320. For example, subprocesses 410, 420, 440, and 450 may be performed by assessment server 310, and subprocess 430 may be performed by testing server 320. However, other arrangements and configurations for implementing process 400 are also possible.

In an embodiment, assessment server 310 may provide different types of cybersecurity assessments, depending on the intended usage. For example, a first type of assessment may be provided for internal cyber-risk management, a second type of assessment may be provided for auditing of compliance with one standard, a third type of assessment may be provided for auditing of compliance with a different standard, a fourth type of assessment may be provided for requesting an insurance quote, and/or the like. Alternatively, the process 400 may be the same, regardless of the intended usage of cybersecurity assessment 316. However, in such a case, cybersecurity assessment 316 may be sectioned so that the portion(s) of cybersecurity assessment 316 necessary for the intended usage may be easily extracted and provided to a third party.

In subprocess 410, data 314 is received, for example, after the initiation of a new cybersecurity assessment by a supervisory user representing an entity. Data 314 may comprise any data that relate to cybersecurity risks for an entity. Data 314 may be collected, via graphical user interface 312, according to a workflow. For example, in an embodiment, assessment server 310 provides one or more questionnaires that each comprise one or more questions (e.g., regarding a cybersecurity control) and/or requests (e.g., for a declarative statement or verification/confirmation of a declarative statement, to upload supporting documents, etc.) related to the cybersecurity controls of the entity. Cybersecurity controls may comprise cybersecurity practices and/or cybersecurity processes, and cybersecurity controls related to the entity may comprise the cybersecurity controls of specific business units within the entity, divisions within the entity, subsidiaries, parents, or other affiliates of the entity, the entity's suppliers, the entity's customers, and/or the like. In an embodiment that provides different types of cybersecurity assessments, the questionnaires—and therefore, data 314 that is collected using the questionnaires—may differ depending on the type of cybersecurity assessment being performed.

A supervisory user may assign different questionnaires and/or different portions of the one or more questionnaires to one or a plurality of other users (e.g., employees of the entity, including business units or divisions within the entity, employees of a subsidiary, parent, or other affiliate of the entity, employees of an entity's suppliers or customers, or other responsible individuals best suited to respond to the questionnaire) via graphical user interface 312. As used herein, the term “questionnaire” may refer to a plurality of separate questionnaires, or a portion (e.g., section) or a plurality of portions of one or a plurality of questionnaires. Thus, a questionnaire or a plurality of questionnaires for a given cybersecurity assessment may be divided into a plurality of assignable questionnaires that can each be individually assigned to a user, independently from the other questionnaires. A questionnaire may comprise a plurality of questions to be answered, requests for declarative statements, requests for supporting documents, and/or the like, and may be divided by separating these questions and/or requests, individually, in groups, and/or sections, into separate questionnaires that can then be assigned to different users.

In an embodiment, the questionnaire for a given cybersecurity assessment may be separated and assigned according to security domains. For example, different portions (e.g., sections or groups of questions/requests) of the questionnaire may relate to different security domains. The supervisory user may assign one or more security domains to specific users, and assessment server 310 may automatically extract the portion(s) of the questionnaire that are associated with each security domain into separate questionnaires and assign those separate questionnaires to the users to which they were assigned. The supervisory user may also specify a common or independent due date for the completion of each assigned questionnaire, or the system may automatically set a due date for each assigned questionnaire. Assessment server 310 may store the assignment of each security domain or questionnaire, along with any associated due dates, in database 114.

Assessment server 310 may provide the assigned questionnaires, via graphical user interface 312, to the users to which they were assigned. The assigned users may submit responses to their assigned questionnaires via one or more inputs of graphical user interface 312. The responses may comprise answers to questions, declarative statements, supporting documents, and/or the like. Assessment server 310 receives and stores each assigned user's response(s) to their assigned questionnaire(s) in database 114.

Assessment server 310 may monitor the due dates for each assigned questionnaire, and, if an assigned questionnaire has not been completed within a time period before the due date, on the due date, or after the due date has passed, send a due-date reminder (e.g., via email message) to the user to which the questionnaire was assigned. Assessment server 310 may also track the progress (e.g., as a percentage) in completing the questionnaire for each initiated cybersecurity assessment. Assessment server 310 may provide a dashboard in graphical user interface 312 that displays the progress in completing the questionnaire, as well as details about the collected responses and/or the like. It should be understood that completion of the questionnaire means that all responses to the questionnaire have been returned, and that the progress may be defined as the percentage or ratio of the number of collected responses to the total number of questions and requests in the questionnaire.

In an embodiment, assessment server 310 may prompt the supervisory user to approve or reject the completed questionnaire and/or the assigned questionnaires as they are completed. Rejected questionnaires may be returned to the assigned users (e.g., via the assigned user's dashboard) for rectification.

In an embodiment, assessment server 310 may provide a one-click copy feature that enables a user to import a completed questionnaire (i.e., with all responses) from a past assessment into a new assessment. Thus, a new cybersecurity assessment can be jump-started by importing data 314 from a prior (and preferably, recent) cybersecurity assessment, thereby saving time and resources.

In subprocess 420, assessment server 310 may calculate a cyber-hygiene score based on the data 314, collected in subprocess 410 and stored in database 114. The cyber-hygiene score may be computed after all responses to the questionnaire have been collected (e.g., and approved by the supervisory user) or as the responses to the questionnaire are collected. In particular, the cyber-hygiene score is based on an analysis of the responses, including answers to questions, declarative statements, and supporting documents, collected in data 314 in subprocess 410. The cyber-hygiene score represents a level of cyber-hygiene practiced by the entity being assessed and the entity's susceptibility to cyber-risk. It should be understood that cyber-hygiene refers to the controls (e.g., practices and processes) that the entity undertakes to maintain system health and online security. The cyber-hygiene score represents a level of compliance with, and the extent of implementation of, cybersecurity controls.

In an embodiment, the cyber-hygiene score may be derived based on the cybersecurity controls, associated with the cybersecurity standard being used for the cybersecurity assessment, that have been implemented by the entity, as determined from data 314. Each cybersecurity control (e.g., practice or process) may be assigned a weight. It should be understood that different cybersecurity standards may comprise different combinations of cybersecurity controls and/or assigned weights. Each cybersecurity control being assessed may be assigned a weight having an integer value ranging from 1 to N (e.g., 1 to 5), with higher weights indicating greater importance to the given cybersecurity standard and lower weights indicating less importance to the given cybersecurity standard. Alternatively, all of the cybersecurity controls may be weighted equally (e.g., a weight of 1), in which case the cybersecurity controls are essentially unweighted. The weights for all cybersecurity controls, which data 314 indicate have been implemented by the entity, may be summed to produce the cyber-hygiene score. In addition, in an embodiment, for one or more of the cybersecurity standards, the weights for all cybersecurity controls, which data 314 indicate have not been implemented by the entity, may be summed and subtracted from the cyber-hygiene score to produce the final cyber-hygiene score. As an example, for the NIST 800-171 cybersecurity standard, there are 110 cybersecurity controls. If each cybersecurity control has a weight of 1, the cyber-hygiene score may range from −110 to +110. Alternatively, in an embodiment, for a given cybersecurity control, the weight that is added for the presence of the cybersecurity control may be different than the weight that is subtracted for the absence of the cybersecurity control (e.g., the weight for the presence may be 1, whereas the weight for the absence may be 1, 3, 5, etc.). It should be understood that the cyber-hygiene score may be normalized to a scale that is easier to comprehend and/or combine with other scores (e.g., a scale of 0 to 100, a scale of 0 to 1, etc.).

In subprocess 430, testing server 320 may execute one or more tests 322 against the entity system 140 being assessed, to produce test results 324. Tests 322 may be designed to validate or assess actual compliance with the cybersecurity controls represented or otherwise indicated in data 314 (e.g., in the responses to the questionnaire). In an alternative or additional embodiment, test results 324 may be imported, via an API call, from an external system, such as entity system 140 or a third-party system 150, that performed tests 322. In any case, test results 324 may be mapped to the same security domains as are present in the questionnaire by which data 314 was collected. In other words, test results 324 may be mapped to corresponding data 314. This mapping can be used to identify the current statuses of, and/or to validate, the cybersecurity controls represented in the responses in data 314.

Examples of tests 322 include, without limitation, automated controls tests, vulnerability scans, penetration tests, phishing tests, and/or the like. In a particular implementation, tests 322 comprise an automated, inside-out penetration test of implemented controls inside entity system 140, an automated, outside-in scan from outside entity system 140 of Internet-facing information technology (IT) assets to identify unpatched vulnerabilities and security weaknesses in any web applications hosted by entity system 140, and an automated phishing simulation against users of entity system 140 to identify susceptibility of entity system 140 to social engineering.

In subprocess 440, assessment server 310 may calculate a cyber-breach score based on test results 324. In an embodiment, each test result 324 may be converted into a test score, and the cyber-breach score may be computed as an aggregation of these test scores. All of the test scores may be scaled to the same or similar range of values (e.g., zero to one hundred), so that they can be more easily combined. For example, the cyber-breach score may be an average (e.g., unweighted or weighted average) of all of the test scores. As discussed elsewhere herein, a cyber-penetration score, cyber-scan score, and cyber-phishing score may be calculated based on the results of different tests 322, and the cyber-breach score may be calculated as the average of the cyber-penetration, cyber-scan, and cyber-phishing scores.

In addition to or instead of calculating a separate cyber-breach score, assessment server 310 may update the cyber-hygiene score, initially calculated in subprocess 420, based on test results 324. In particular, test results 324 may be used to validate the responses concerning the entity's cybersecurity controls in data 314. For example, the initial cyber-hygiene score may be based on data 314 under the assumption that the responses are true. However, if test results 324 demonstrate that a portion of the responses overstate the entity's cybersecurity controls, the cyber-hygiene score may be revised downward to reflect this underperformance. Similarly, if test results 324 subsequently demonstrate that a portion of the responses understate the entity's cybersecurity controls, the cyber-hygiene score may be revised upwards to reflect this overperformance.
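The scoring arithmetic of subprocesses 420 and 440 described above (weighted presence/absence sums, normalization to 0 to 100, averaging of the per-test scores, and the test-based revision of the cyber-hygiene score), carried through as an added Python example that is not code from the patent or its platform. The CTRL-nnn control identifiers, weights, asserted statuses and test results are constructed placeholders; the control set only borrows the 110-control count the description gives for NIST 800-171.

```python
"""Scoring arithmetic for subprocesses 420 and 440.

Constructed illustration, not the patent's or platform's own code: control
ids, weights, asserted statuses and test results below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """present_weight is added when data 314 asserts the control is
    implemented; absent_weight is subtracted when it is not (they may differ)."""
    control_id: str
    present_weight: int = 1
    absent_weight: int = 1


def cyber_hygiene_score(controls, asserted):
    """Raw score: present weights of asserted controls summed, minus the
    absent weights of the remaining controls."""
    score = 0
    for c in controls:
        if asserted.get(c.control_id, False):
            score += c.present_weight
        else:
            score -= c.absent_weight
    return score


def score_bounds(controls):
    """Lowest and highest raw score the control set can produce."""
    return (-sum(c.absent_weight for c in controls),
            sum(c.present_weight for c in controls))


def normalize(score, controls, scale=100):
    """Map a raw score from [lo, hi] onto [0, scale]."""
    lo, hi = score_bounds(controls)
    return (score - lo) / (hi - lo) * scale if hi != lo else 0.0


def validate_assertions(asserted, test_results):
    """Correct asserted statuses with test results 324, which map control_id
    to True (observed effective) or False (observed deficient). Untested
    controls keep their asserted status. Returns (revised, overstated,
    understated)."""
    revised = dict(asserted)
    overstated, understated = [], []
    for cid, observed in test_results.items():
        claimed = asserted.get(cid, False)
        if claimed and not observed:
            overstated.append(cid)   # response claimed more than tests found
        elif observed and not claimed:
            understated.append(cid)  # tests found more than the response claimed
        revised[cid] = observed
    return revised, overstated, understated


def cyber_breach_score(test_scores, weights=None):
    """Average per-test scores (each already scaled to 0..100), optionally
    weighted by test name."""
    if weights is None:
        return sum(test_scores.values()) / len(test_scores)
    total = sum(weights[name] for name in test_scores)
    return sum(test_scores[name] * weights[name] for name in test_scores) / total


# Constructed inputs: 110 equally weighted controls, the count the description
# gives for NIST 800-171; the CTRL-nnn ids are placeholders, not real ids.
NIST_CONTROLS = [Control(f"CTRL-{i:03d}") for i in range(1, 111)]
ASSERTED = {c.control_id: i < 100 for i, c in enumerate(NIST_CONTROLS)}
TEST_RESULTS = {"CTRL-001": True, "CTRL-005": False,   # constructed results 324
                "CTRL-006": False, "CTRL-105": True}
TEST_SCORES = {"cyber-penetration": 80.0, "cyber-scan": 65.0,  # 0..100 each
               "cyber-phishing": 50.0}
TEST_WEIGHTS = {"cyber-penetration": 2, "cyber-scan": 1, "cyber-phishing": 1}


def example_assessment():
    """Run the full pipeline on the constructed inputs."""
    raw = cyber_hygiene_score(NIST_CONTROLS, ASSERTED)        # 100 - 10 = 90
    revised, over, under = validate_assertions(ASSERTED, TEST_RESULTS)
    revised_raw = cyber_hygiene_score(NIST_CONTROLS, revised)  # 99 - 11 = 88
    return {
        "raw_hygiene": raw,
        "hygiene": normalize(raw, NIST_CONTROLS),              # (90+110)/220*100
        "overstated": over,
        "understated": under,
        "revised_raw": revised_raw,
        "revised_hygiene": normalize(revised_raw, NIST_CONTROLS),
        "breach": cyber_breach_score(TEST_SCORES),
        "weighted_breach": cyber_breach_score(TEST_SCORES, TEST_WEIGHTS),
    }
```

With the constructed inputs the two overstated controls pull the raw score from 90 to 88 while the understated one only partly offsets them, so the normalized cyber-hygiene score drops from about 90.9 to 90.0.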

In subprocess 450, assessment server 310 may generate cybersecurity assessment 316 using the cyber-hygiene score, calculated in subprocess 420, and/or the cyber-breach score, calculated in subprocess 440. Cybersecurity assessment 316 may be represented in a dashboard of graphical user interface 312 and/or exported as a file. In an embodiment, cybersecurity assessment 316 comprises visual representations of the cyber-hygiene score and/or cyber-breach score, as well as the results of benchmarking analytics, to facilitate risk mitigation, action, and planning. The benchmarking analytics may compare the cyber-hygiene score, cyber-breach score, responses in data 314, and/or the like, for the entity being assessed, to peers in the same and/or similar industries (e.g., as percentile rankings of the entity relative to its peers) to provide context to data 314. The comparisons may be expressed visually (e.g., in charts, graphs, tables, as percentiles, etc.) to facilitate the identification of trends and patterns. In an embodiment, the results of the benchmarking analytics may be shown in response to the selection of a single input (e.g., one click of an input device or touch panel display) within a graphical user interface representing cybersecurity assessment 316.

Cybersecurity assessment 316 may also comprise alerts (e.g., email message, text message, such as Short Message Service (SMS) or Multimedia Messaging Service (MMS) text message, telephone call, etc.) that are triggered when a cybersecurity control is detected to be deficient based on tests 322, a plan of action that identifies the overall cybersecurity practices and processes that are deficient or require corrective action, and/or a system security plan that identifies the status and details of all cybersecurity controls that must be fully implemented and operational to mitigate cyber-risk and comply with a given standard (e.g., CMMC). Cybersecurity assessment 316 may also comprise other analytics, performed by assessment server 310, to facilitate risk mitigation and planning. These other analytics may utilize artificial intelligence (AI), such as machine-learning models (e.g., supervised learning for regression and classification, unsupervised learning for cluster models, etc.), to calculate the probability of a data breach based on one or more features, such as test results 324 over a period of time, type(s) of cybersecurity controls that failed and/or weightings of failed cybersecurity control(s), recurrence of failures in cybersecurity controls, time taken to rectify deficiencies in cybersecurity controls, benchmarking results, and/or the like. The results of the analytics (e.g., the calculated probability of a data breach) may be incorporated into cybersecurity assessment 316 to supplement the cyber-breach score.

In an embodiment, subprocesses 410 and/or 430 may be performed periodically or over a time period. For example, as an entity updates or otherwise changes its cybersecurity controls, user(s), representing the entity, may also update data 314 to reflect those changes. In this case, subprocess 420 may be implemented periodically to update the cyber-hygiene score based on the updated data 314. In addition, in an embodiment in which tests 322 are performed periodically or over a time period in multiple iterations of subprocess 430, subprocess 440 may be executed periodically to update the cyber-breach score and/or the cyber-hygiene score based on test results 324. Assessment server 310 may automatically update cybersecurity assessment 316 based on updates to data 314 and/or test results 324, and the resulting updates to the cyber-hygiene and/or cyber-breach scores.

As described above, in an embodiment, platform 110 provides an online portal, comprising a graphical user interface 312 through which an entity inputs data 314 to obtain a cybersecurity assessment 316, including a cyber-hygiene score, cyber-breach score, benchmarking to peers, validation of implemented practices and processes via automated testing, probability of a data breach, and/or the like. An entity may utilize cybersecurity assessment 316 to implement risk mitigation and comply with cybersecurity standards and mandates (e.g., CMMC). Cybersecurity assessment 316, as visually represented in graphical user interface 312, may enable the user to drill down into the benchmarking analytics, for example, to view comparisons of specific cyber-risks and implemented controls for the entity to those same cyber-risks and implemented controls for peers of the entity (e.g., as a percentile ranking with respect to peers), to indicate how the entity's cybersecurity compares to its peers (e.g., similar entities in the same or similar industries). In an embodiment, graphical user interface 312 may enable the user to drill down to a specific question or declarative statement from the questionnaire(s) and view a benchmark comparison (e.g., percentile) between the entity's response and the responses from peers. Thus, the entity may compare itself to its peers at a granular per-risk or per-control level of detail, which may aid the entity in determining what security domains or other cybersecurity features to prioritize for risk mitigation. In addition, graphical user interface 312 may enable the user to drill down to the root causes or contributing factors for the cyber-hygiene score, cyber-breach score, benchmarking to peers, probability of a data breach, and/or the like. These factors may comprise detected deficiencies or failures in cybersecurity controls (e.g., in data 314 and/or test results 324), other details from data 314 and/or test results 324, a history of performance of cybersecurity controls, benchmarking comparisons, and/or the like. This insight, especially in combination with inside-out and outside-in controls testing, can provide timely intelligence on the efficacy of cybersecurity controls and any security holes or other vulnerabilities, to facilitate the timely rectification of those vulnerabilities before a threat actor can exploit them. Thus, cyber-risk can be mitigated and data theft or ransomware attacks can be prevented.

It should be understood that in any case where the present description mentions drilling down into some detail, this may be implemented in graphical user interface 312 as a hierarchical arrangement of expandable and collapsible graphical elements that provide access to the details. For example, an expandable graphical element may comprise a “+” (plus) or similar icon that, when selected, expands a frame to show descendant details under an ancestral detail, and switches to a collapsible graphical element. The collapsible graphical element may comprise a “−” (minus) or similar icon that, when selected, collapses the expanded frame to hide the descendant details under the ancestral detail, and switches to the expandable graphical element.

In addition, a user representing the entity may utilize graphical user interface 312 of the online portal to authorize the sharing of cybersecurity assessment 316 with a third party, such as a third-party auditor for certification that the entity complies with a given standard (e.g., NIST, CMMC, etc.) and/or an insurance provider for the acquisition of affordable cyber-insurance that appropriately transfers cyber-risk from the entity to the insurance provider. If the user authorizes sharing of cybersecurity assessment 316 with a third party, cybersecurity assessment 316 may be sent to the third party via any transmission method (e.g., email message, regular mail or shipping, etc.) or to third-party system 150 via an API provided by third-party system 150. Alternatively, the third party could retrieve cybersecurity assessment 316 from platform 110 via an API provided by platform 110.

It should be understood that the version of cybersecurity assessment 316 that is provided to a third party may differ from the version of cybersecurity assessment 316 that is available to the entity itself and/or to other third parties. For example, the version of cybersecurity assessment 316 that is provided to the third party may be a smaller subset of the version of cybersecurity assessment 316 that is available to the entity itself, and may consist of only the information needed to complete the third party's role (e.g., audit, certification, or offer or issuance of an insurance policy). In the case of a third-party auditor, the version of cybersecurity assessment 316 provided to the third-party auditor may comprise any data 314 (e.g., responses, declarative statements, supporting documents, etc.) or test results 324, including potentially the cyber-hygiene and/or cyber-breach scores, necessary to facilitate the audit. In the case of a third-party insurance provider, the version of cybersecurity assessment 316 provided to the third-party insurance provider may comprise any data 314 (e.g., responses, declarative statements, supporting documents, etc.) or test results 324, including potentially the cyber-hygiene and/or cyber-breach scores and/or benchmarking results, necessary or useful to underwrite the entity's cyber-risk and price the entity's premiums for cyber-insurance. In effect, cybersecurity assessment 316 can be used as an underwriting tool for the affordable offloading of cyber-risk to an insurance provider.

3. Automated Inside-Out Controls Testing

In an embodiment, testing server 320 may perform an automated inside-out controls test from within a network of entity system 140, to test, for example, the penetrability of entity system 140. FIG. 5 illustrates an example data flow for automated penetration testing, according to an embodiment. As illustrated, testing server 320 may comprise a setup module 510, a configuration module 520, a scan trigger module 530, and a reporting module 540. Testing server 320 may be implemented in a virtual private cloud (VPC) (e.g., in the Amazon™ AWS cloud environment). Similarly, the entity systems 140 being tested may be implemented in separate and distinct virtual private clouds (e.g., in the same Amazon™ AWS cloud environment or in a different cloud environment). However, testing server 320 and entity systems 140 do not necessarily need to be implemented in cloud environments.

During an onboarding process, setup module 510 may instantiate a virtual machine 512 for each entity to be tested (e.g., represented by virtual machines 512A to 512N). Configuration module 520 may configure each virtual machine 512 according to one or more parameters.

Each entity may install an agent 142 on a node within the network of its respective entity system 140 (e.g., represented by agents 142A to 142N). For example, the entity may identify a specific machine on which to install agent 142. A user representing the entity may download and install agent 142 to that machine. In an embodiment, the entity may also provide inbound HTTPS (e.g., port 443) access to and outbound HTTPS access from the machine on which agent 142 is installed (e.g., through a firewall of entity system 140). Agent 142 may be provided as cloud-based software as a service (SaaS).

Scan trigger module 530 may trigger an agent 142 in an entity system 140 based upon a triggering event. The triggering event may be specified, via graphical user interface 312, by a user representing the entity. The triggering event may be a manual triggering by the user (e.g., by selecting one or more inputs in graphical user interface 312), the expiration of a time interval (e.g., specified by the user for periodic testing), the current time reaching a particular date and time (e.g., specified by the user for future testing), or any other type of trigger. Upon the occurrence of a triggering event for a given agent 142, scan trigger module 530 may trigger that agent 142 via a call (e.g., a secure API call, through the firewall of entity system 140) to the agent installed within the respective entity system 140. It should be understood that different agents 142 for different entities may have different triggering events, such that they may be triggered independently from each other.

When triggered, agent 142 may scan the network of entity system 140, including all relevant nodes on the network, to identify vulnerabilities within the network, including, for example, non-compliance with particular cybersecurity controls. These tests may comprise detecting the use of weak passwords, missing multi-factor authentication controls, missing utilization of encryption of data at rest and in transit, open insecure ports, and/or a variety of other vulnerabilities.

The results of the scan may be collected in a database accessible to agent 142, and then uploaded to the virtual machine 512 that is associated with the entity whose network is being scanned (e.g., agent 142A may upload the scan results to virtual machine 512A). The test results 324 from the scan may be uploaded by agents 142 to their respective virtual machines 512 via a secure API call to platform 110. Virtual machines 512 may provide test results 324 from the scans performed by their respective agents 142 to reporting module 540, which may store test results 324 in database 114 for access by assessment server 310 when assessment server 310 generates cybersecurity assessment 316. In an embodiment, detailed test results 324 may be incorporated into cybersecurity assessment 316.

In an embodiment, an overall cyber-penetration score may be calculated for a given penetration test and/or for a combination of penetration tests (e.g., as an average). For example, the cyber-penetration score may be a value, in a range of zero to one hundred, that increases as the number of passed tests increases (i.e., successful penetrations decrease) and decreases as the number of passed tests decreases (i.e., successful penetrations increase). As one example, the cyber-penetration score may be calculated by starting with the maximum score and subtracting a deduction amount associated with each failed penetration test. It should be understood that different penetration tests may be weighted with different deduction amounts (e.g., deduction amounts within a range of one to five), with higher deduction amounts representing a more critical failure than lower deduction amounts. The maximum score and/or the deduction amounts may vary depending on the particular standard (e.g., NIST 800-171, CMMC L1, CMMC L2, CMMC L3, CMMC L4, CMMC L5, etc.) with which the entity is attempting to comply (e.g., selected as the type of cybersecurity assessment). Once all deduction amounts have been subtracted from the maximum score, the resulting score may be converted to a percentage (i.e., resulting score divided by maximum score, and multiplied by one hundred) to produce the cyber-penetration score in a range of zero to one hundred, so that the cyber-penetration score can be more easily combined with other test scores.
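The deduction-based scoring just described, written out as an added example; it is not code from the application or from any product, and the per-standard scoring profiles (maximum scores, test identifiers and deduction amounts) are constructed assumptions, since the application only states that they vary by standard and that deductions lie in a range of one to five. The example also shows how a set of per-test scores is averaged into a combined score and how a score is clamped so that a large number of failures cannot push it below zero.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping

# Hypothetical scoring profiles keyed by the selected standard. Each profile
# has a maximum score and a deduction amount (1 to 5) per failed test.
# These values are constructed for illustration; real profiles are chosen
# by whoever operates the assessment platform.
SCORING_PROFILES: Mapping[str, dict] = {
    "NIST 800-171": {
        "max_score": 100,
        "deductions": {
            "weak_password": 3,
            "missing_mfa": 5,
            "no_encryption_at_rest": 4,
            "no_encryption_in_transit": 4,
            "open_insecure_port": 2,
        },
    },
    "CMMC L1": {
        "max_score": 50,
        "deductions": {
            "weak_password": 2,
            "missing_mfa": 3,
            "no_encryption_at_rest": 2,
            "no_encryption_in_transit": 2,
            "open_insecure_port": 1,
        },
    },
}


@dataclass(frozen=True)
class PenetrationTestResult:
    """Outcome of one inside-out control check run by the agent."""
    test_id: str
    passed: bool


def cyber_penetration_score(results: Iterable[PenetrationTestResult],
                            standard: str) -> float:
    """Start at the standard's maximum score, subtract one deduction per
    failed test, clamp at zero, and convert to a 0-100 percentage."""
    try:
        profile = SCORING_PROFILES[standard]
    except KeyError:
        raise ValueError(f"no scoring profile for standard {standard!r}") from None
    max_score = profile["max_score"]
    remaining = max_score
    for result in results:
        if result.passed:
            continue
        try:
            remaining -= profile["deductions"][result.test_id]
        except KeyError:
            # An unknown test id is a configuration error, not a pass.
            raise ValueError(f"no deduction amount for test {result.test_id!r}") from None
    remaining = max(remaining, 0)  # many critical failures cannot go negative
    return round(100.0 * remaining / max_score, 1)


def combined_penetration_score(scores: Iterable[float]) -> float:
    """Average several per-test cyber-penetration scores (all already 0-100)."""
    scores = list(scores)
    if not scores:
        raise ValueError("at least one score is required")
    return round(sum(scores) / len(scores), 1)


if __name__ == "__main__":
    # Constructed sample: two failed checks out of five.
    sample = [
        PenetrationTestResult("weak_password", True),
        PenetrationTestResult("missing_mfa", False),
        PenetrationTestResult("no_encryption_at_rest", True),
        PenetrationTestResult("no_encryption_in_transit", True),
        PenetrationTestResult("open_insecure_port", False),
    ]
    print(cyber_penetration_score(sample, "NIST 800-171"))  # 93.0
    print(cyber_penetration_score(sample, "CMMC L1"))       # 92.0
```

Because the final division is by the profile's own maximum, the same two failures produce comparable percentages under both profiles even though their raw maxima differ, which is what allows the score to be averaged with the other test scores later.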

4. Automated Security Scan

In an embodiment, testing server 320 may perform an automated outside-in controls test or security scan against Internet-facing IT assets of entity system 140. FIG. 6 illustrates an example flowchart for an automated scanning process 600, according to an embodiment. Process 600 may be implemented by platform 110, including assessment server 310 and/or testing server 320, to establish an automated scanning campaign. For example, subprocesses 610-650 may be performed by assessment server 310, and subprocesses 660-680 may be performed by testing server 320. However, other arrangements and configurations for implementing process 600 are also possible.

In an embodiment in which multiple types of security scans are available, a selection of the type of scan to be performed is received in subprocess 610. In particular, the user, representing an entity, may specify the type of scan via graphical user interface 312. For example, testing server 320 may provide both an active scan and a passive scan. In a passive scan, test 322 scans Internet-facing IT assets for unpatched vulnerabilities, open ports, missing Transport Layer Security (TLS), and/or the like, without attempting to penetrate those assets (e.g., via brute force selection and entry of passwords or other hacking techniques). In contrast, in an active scan, test 322 may scan Internet-facing IT assets for unpatched vulnerabilities, open ports, missing TLS, and/or the like, and also attempt to penetrate those assets (e.g., via brute force or other hacking techniques). Active scans may be limited to certain entities (e.g., for an additional fee) or ethical hackers who are permitted by an entity to perform active scans against the entity's assets.

If a user attempts to select a type of scan that is not permitted (e.g., an active scan) for the entity's account (i.e., “No” in subprocess 620), the user may be notified that the type of scan is not permitted and/or prompted to contact support for more information in subprocess 630. Otherwise, if the user selects a type of scan that is permitted (e.g., a passive scan) for the entity's account (i.e., “Yes” in subprocess 620), process 600 proceeds to subprocess 640. In an alternative embodiment, the user may not be provided the option in graphical user interface 312 to select any type of scan which is not permitted for the entity's account. In this case, subprocesses 620 and 630 may be omitted, since the user will only be able to select permissible scan types in subprocess 610.

Once a user has selected a permissible scan type in subprocess 610, the selection of parameters or other options for the selected scan, including the timing of the scan, may be received in subprocess 640. In particular, the user, representing an entity, may specify any available options, or alternatively, accept default values for the available options. The timing may be immediate, a future date and time, a time interval or frequency for periodic testing, and/or the like.

In subprocess 650, one or more uniform resource locators (URLs) may be received. In particular, the user, representing an entity, may specify a set of URL(s) by selecting a group of previously specified URL(s), uploading a list of URL(s) (e.g., as a file), and/or manually inputting URL(s). In the event that a user uploads a list of URL(s) or manually inputs URL(s), graphical user interface 312 may provide the user with an option to save those uploaded or inputted URL(s) as a group for future selection (e.g., for future tests or other services provided by platform 110). It should be understood that the URL(s) received in subprocess 650 represent URL(s) for resources of entity system 140.

In subprocess 660, process 600 waits for the timing specified in the options in subprocess 640. It should be understood that if no timing was specified or the timing was specified as immediate, subprocess 660 may be skipped, such that process 600 proceeds directly from subprocess 650 to 670. Otherwise, if the timing is specified as a future date and time or as a time interval or frequency, subprocess 660 waits until the specified future date and time, expiration of the specified time interval, or according to the specified frequency. In particular, if it is not time for the scan (i.e., “No” in subprocess 660), process 600 continues to wait. On the other hand, if it is time for the scan (i.e., “Yes” in subprocess 660), process 600 proceeds to subprocess 670.

In subprocess 670, the scan is performed on the one or more URLs received in subprocess 650. In particular, testing server 320 may scan the URL(s) according to one or more tests 322 to detect, for example, unpatched vulnerabilities, open ports, missing TLS, and/or the like. In an active scan, testing server 320 may also try to exploit detected vulnerabilities, using brute force or other known hacking techniques. In subprocess 680, the results of the scan may be stored (e.g., in database 114) for reporting (e.g., in cybersecurity assessment 316).

As each scanning campaign is being performed on the URL(s), the results of the scanning campaign may be displayed, in real time and/or after completion of the scanning campaign, in the dashboard of graphical user interface 312. For example, the dashboard may display performance metrics, URLs scanned, progress (e.g., how many URLs remain to be scanned, the percentage of total URLs remaining to be scanned, etc.), a list of any vulnerabilities detected and their respective severities, a list of any failed scans, any test scores that have been calculated, and/or the like. The dashboard or other screen of graphical user interface 312 may also comprise an input for pausing or terminating the scanning campaign before completion. Graphical user interface 312 may also comprise an input for suppressing a scanning campaign from reporting, for example, if the scanning campaign is only being performed for testing functionality of entity system 140 and should not be provided to a third party.

In an embodiment, an overall cyber-scan score may be calculated for a given scanning campaign and/or for a combination of scanning campaigns (e.g., as an average). For example, the cyber-scan score may be a value, in a range from zero to one hundred, that increases as the number of passed tests increases (i.e., detected vulnerabilities decreases) and decreases as the number of passed tests decreases (i.e., detected vulnerabilities increases). As one example, the cyber-scan score may be a percentage of tests that were passed during the scanning campaign. Thus, for instance, if an entity system 140 failed 20% of the tests in a given scanning campaign, the cyber-scan score would be 80.

5. Automated Phishing Simulation

In an embodiment, testing server 320 may execute an automated phishing simulation against entity system 140. FIG. 7 illustrates an example flowchart for an automated phishing process 700, according to an embodiment. Process 700 may be implemented by platform 110, including assessment server 310 and/or testing server 320, to establish an automated phishing campaign. For example, subprocesses 710-750 may be performed by assessment server 310, and subprocesses 760-780 may be performed by testing server 320. However, other arrangements and configurations for implementing process 700 are also possible.

In subprocess 710, an email template may be specified. In particular, the user, representing an entity, may select a predefined or previously generated email template, upload an email template, and/or create a new email template. In an embodiment, graphical user interface 312 may comprise a Rich Text Format (RTF) editor and/or HTML editor with support for Cascading Style Sheets (CSS), through which the user can create a new email template and/or edit an existing email template. Alternatively, graphical user interface 312 may comprise input(s) for specifying the value of one or a plurality of parameters, which are then used to automatically generate an email template. In all cases, the email template may comprise placeholder(s) for one or a plurality of variable field values. Thus, values may be automatically merged into the placeholder(s) of the email template to create email messages. In an embodiment, a list of predefined email templates, from which a user may select the email template, may be generated from email messages that have been used and observed in actual phishing scams. It should be understood that the specified email template is used to generate the email messages to be used for a phishing campaign.

In subprocess 720, a landing page may be specified. In particular, the user, representing an entity, may select a predefined or previously generated landing page, upload a landing page, clone an existing landing page, and/or create a new landing page. In an embodiment, graphical user interface 312 may comprise a Rich Text Format (RTF) editor and/or HTML editor with support for Cascading Style Sheets (CSS) and/or JavaScript, through which the user can create a new landing page and/or edit an existing landing page. Alternatively, graphical user interface 312 may comprise input(s) for specifying the value of one or a plurality of parameters, which are then used to automatically generate a landing page. Additionally or alternatively, graphical user interface 312 may comprise an input for specifying a URL, and the software may responsively and automatically copy the webpage at the URL and store the copied webpage in database 114 for use as a landing page. Graphical user interface 312 may also comprise an HTML editor that enables the user to modify the copied webpage as desired. In all cases, the landing page may be hosted by platform 110 or another platform that provides information to testing server 320 about visits to the landing page. It should be understood that a hyperlink to the specified landing page may be incorporated into the email template (e.g., inserted into a placeholder in the email template) to test a recipient's ability and/or proclivity to select the hyperlink and interact with the landing page.

In subprocess 730, a domain may be specified. In particular, the user, representing an entity, may select a domain from a list of predefined or previously specified domains and/or input a new domain into an input of graphical user interface 312. In an additional or alternative embodiment, the user may also select a username from a list of predefined or previously specified usernames and/or input a new username into an input of graphical user interface 312. It should be understood that the specified domain will be incorporated into the sender email address for the email messages sent during the phishing campaign. In the case that a username is specified, the specified username will also be incorporated into the sender email address for the email messages sent during the phishing campaign. In other words, the sender email address may be generated as “[specified username]@[specified domain]” if the username and domain are specified, “[default username]@[specified domain]” if only the domain is specified, “[specified username]@[default domain]” if only the username is specified, or “[default username]@[default domain]” if neither the username nor the domain is specified.

In subprocess 740, one or more email addresses are specified. In particular, the user, representing an entity, may select one or more email addresses or groups of email addresses from a list of previously specified email addresses, upload a list of one or more email addresses, and/or manually input one or more email addresses into one or more inputs of graphical user interface 312. When a list of email addresses is uploaded, that list of email addresses may be stored as a group for selection in future phishing campaigns. In an embodiment, the software may verify that all specified email addresses are within a domain upon which the user is authorized to simulate phishing (e.g., an appropriate send-to domain of entity system 140). If any of the email addresses are not within an authorized domain, they may be automatically excluded, and the user may be notified of their exclusion.
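The recipient authorization check at the end of subprocess 740 is the guardrail that keeps a simulation confined to the entity's own users, so it is worth seeing how such a filter behaves on awkward input. The following is an added example, not code from the application or from any product; the function name, the data structure and the sample address list are constructed here. It assumes that an address is authorized only when its domain matches an authorized domain exactly (a subdomain of an authorized domain is treated as unauthorized unless listed on its own), that matching is case-insensitive, and that duplicates and malformed entries are excluded and reported alongside the unauthorized ones.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Deliberately simple address shape: one "@", no whitespace, a dotted domain.
# Full RFC 5322 parsing is out of scope; anything stricter can be swapped in.
_ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


@dataclass
class RecipientCheck:
    """Outcome of filtering a recipient list against authorized domains."""
    accepted: List[str] = field(default_factory=list)
    excluded: List[Tuple[str, str]] = field(default_factory=list)  # (address, reason)


def domain_of(address: str):
    """Return the lower-cased domain part, or None if the address is malformed."""
    match = _ADDRESS_RE.match(address.strip())
    return match.group(1).lower() if match else None


def filter_recipients(addresses: Iterable[str],
                      authorized_domains: Iterable[str]) -> RecipientCheck:
    """Keep only addresses whose domain is exactly one of the authorized
    domains; exclude (with a reason) malformed, unauthorized and duplicate
    entries so the user can be told what was dropped and why."""
    authorized = {d.strip().lstrip("@").lower() for d in authorized_domains}
    check = RecipientCheck()
    seen = set()
    for raw in addresses:
        address = raw.strip()
        domain = domain_of(address)
        if domain is None:
            check.excluded.append((raw, "malformed address"))
            continue
        if domain not in authorized:
            check.excluded.append((raw, f"domain {domain!r} is not authorized"))
            continue
        key = address.lower()  # assumption: local parts compared case-insensitively
        if key in seen:
            check.excluded.append((raw, "duplicate of an address already accepted"))
            continue
        seen.add(key)
        check.accepted.append(address)
    return check


def exclusion_notice(check: RecipientCheck) -> str:
    """Human-readable summary suitable for the notification the user receives."""
    if not check.excluded:
        return "All recipients accepted."
    lines = [f"{len(check.excluded)} address(es) excluded from the campaign:"]
    lines += [f"  {addr}: {reason}" for addr, reason in check.excluded]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample list mixing good, subdomain, foreign, malformed and duplicate entries.
    sample = [
        "alice@example.com",
        " Bob@Example.COM ",
        "carol@mail.example.com",
        "mallory@other.test",
        "not-an-email",
        "ALICE@example.com",
    ]
    result = filter_recipients(sample, ["example.com"])
    print(result.accepted)
    print(exclusion_notice(result))
```

Treating subdomains as unauthorized by default is the conservative choice: it forces whoever configures the campaign to list every send-to domain explicitly rather than inheriting authorization from a parent domain they may not actually control.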

In subprocess 750, one or more options may be selected. In particular, the user, representing an entity, may specify any available options, or alternatively, accept default values for the available options. The options may comprise a timing for conducting the phishing simulation. The timing may be immediate, a future date and time, a time interval or frequency for periodic testing, and/or the like.

In subprocess 760, process 700 waits for the timing specified in the options in subprocess 750. It should be understood that if no timing was specified or the timing was specified as immediate, subprocess 760 may be skipped, such that process 700 proceeds directly from subprocess 750 to 770. Otherwise, if the timing is specified as a future date and time or as a time interval or frequency, subprocess 760 waits until the specified future date and time, expiration of the specified time interval, or according to the specified frequency. In particular, if it is not time for the phishing simulation (i.e., “No” in subprocess 760), process 700 continues to wait. On the other hand, if it is time for the phishing simulation (i.e., “Yes” in subprocess 760), process 700 proceeds to subprocess 770.

In subprocess 770, phishing email messages may be generated and sent (e.g., via a Simple Mail Transfer Protocol (SMTP) server of platform 110). Phishing email messages may be generated by incorporating a hyperlink to the landing page, specified in subprocess 720, and any other placeholder values into the email template, specified in subprocess 710. These phishing emails may then be sent from the domain, specified in subprocess 730, to each of the email address(es), specified in subprocess 740, according to any options specified in subprocess 750. It should be understood that testing server 320 may track the opening or viewing of these phishing email messages using known mechanisms (e.g., a tracking pixel). Additionally or alternatively, testing server 320 may track each time that a recipient of a phishing email message selects the hyperlink to the landing page in the phishing email message. In particular, the landing page may be under the control and management of testing server 320, such that it can track each visit to the landing page and/or any interactions with the landing page, such as selecting a hyperlink on the landing page, inputting information into one or more inputs on the landing page, downloading a file from the landing page, and/or the like. The hyperlink to the landing page in the phishing email messages may be individualized for each recipient of a phishing email message (e.g., by appending a parameter value that is unique to each phishing email message), so that testing server 320 can identify the particular visitor to the landing page (e.g., by mapping the unique parameter value in the hyperlink in a particular phishing email message to the recipient email address specified for that phishing email message). Thus, test results 324 from the phishing campaign can be used to determine which employee(s) were successfully exploited by the phishing simulation. The severity of the simulated breach can be determined based on those employees' roles within the entity. For example, successful phishing of employees having greater access to sensitive information may represent a more severe breach than successful phishing of employees having less access or no access to sensitive information.

As each phishing campaign is being performed, the results of the phishing campaign may be displayed, in real time and/or after completion of the phishing campaign, in the dashboard of graphical user interface 312. For example, the dashboard may display performance metrics, email addresses from which the phishing email message was bounced and/or other failures or errors, any test scores that have been calculated (e.g., based on the number of interactions with the landing page), the severity of interactions with the landing page (e.g., the degree to which an employee interacted with the landing page, the position or role of the employee who interacted with the landing page, etc.), and/or the like. The dashboard or other screen of graphical user interface 312 may also comprise an input for pausing or terminating the phishing campaign before completion. Graphical user interface 312 may also comprise an input for suppressing a phishing campaign from reporting, for example, if the phishing campaign is only being performed for testing functionality of entity system 140 (e.g., a spam or phishing filter) and should not be provided to a third party.

In an embodiment, an overall cyber-phishing score may be calculated for a given phishing campaign and/or for a combination of phishing campaigns (e.g., as an average). For example, the cyber-phishing score may be a value, in a range from zero to one hundred, that increases as the number and/or severity of interactions with the landing page decreases and decreases as the number and/or severity of interactions with the landing page increases. As one example, the cyber-phishing score may be a percentage of recipients who did not visit the landing page. Thus, for instance, if 20% of the unique recipients of the phishing email message in a given phishing campaign visited the landing page, the cyber-phishing score would be 80.

6. Example Use Cases

In an example use case, a supervisory user, representing an entity, may start a new assessment via a dashboard or other screen of graphical user interface 312. In an embodiment in which different types of cybersecurity assessments are available, the supervisory user may select the desired type of cybersecurity assessment via graphical user interface 312. In an embodiment in which only a single type of cybersecurity assessment is available, the supervisory user may simply select one or more inputs (e.g., in the dashboard of graphical user interface 312) to initiate a new cybersecurity assessment. In an embodiment, an entity may perform a plurality of distinct cybersecurity assessments, of the same or different types, to produce distinct cybersecurity assessments 316 at the completion of each cybersecurity assessment.

Once a new cybersecurity assessment is initiated, the supervisory user may be provided with a questionnaire. The questionnaire may comprise questions to be answered, requests for declarative statements, requests for supporting documents, and/or the like that are associated with a single security domain or a plurality of security domains. The supervisory user may utilize graphical user interface 312 to assign different portions of the questionnaire or to assign different security domains, represented by portions of the questionnaire, to different users.

Once a user has been assigned to a portion of the questionnaire, the user may receive a notification (e.g., an email message with a hyperlink to the assigned portion of the questionnaire within graphical user interface 312, a notification in the user's dashboard within graphical user interface 312, etc.) with a prompt to complete the assigned portion of the questionnaire. The user may utilize inputs in one or more screens of graphical user interface 312 to provide responses to the assigned portion of the questionnaire. These responses may comprise answers to questions, declarative statements, supporting documents (e.g., uploaded via graphical user interface 312), and/or the like. The questionnaire may be designed to elicit responses that provide detailed information about the entity's cybersecurity controls (e.g., practices and processes).

The responses from all users, to whom portions of the questionnaire(s) have been assigned, are collected by assessment server 310 as data 314 and stored in database 114, for example, as an implementation of subprocess 410. Assessment server 310 may monitor the responses and notify a user if that user's assigned portion of the questionnaire has not been completed within a defined time period or by a defined date and time. The defined time period or date and time for responses to be completed may be specified by the supervisory user (e.g., when assigning portions of the questionnaire to users) or may be a predefined system or default setting. As data 314 are collected from the assigned users, the progress (e.g., as a percentage or ratio of responses completed to the total number of responses needed) may be visually represented in the dashboard of the supervisory user. Once all data 314 have been collected, a cyber-hygiene score may be calculated from data 314, for example, as an implementation of subprocess 420.

In addition, testing server 320 may test entity system 140, for example, as an implementation of subprocess 430. In particular, the supervisory user may specify tests 322 to be performed and the options and other information required for each test 322 to be performed via graphical user interface 312. Examples of this information are described elsewhere herein with respect to the automated penetration testing (e.g., FIG. 5), automated security scan (e.g., FIG. 6), and automated phishing simulation (e.g., FIG. 7). Testing server 320 may then perform tests 322 against entity system 140, according to the specified information. It should be understood that this testing (e.g., subprocess 430) may be performed independently of the collection of data 314 (e.g., subprocess 410), such that the testing may be performed before, in parallel with, or after the collection of data 314. However, one or more of tests 322 may be selected and/or configured according to at least a portion of data 314 (e.g., responses to the questionnaire), in which case, such tests 322 should be performed after the collection of the required portion of data 314.

The test results 324 from tests 322 may be collected by testing server 320 and stored in database 114. As each test 322 is completed, a test score may be calculated for the test. Once all tests 322 have been completed, the test scores for each test 322 may be combined into a single overall cyber-breach score (e.g., as a straight or weighted average of the test scores), for example, as an implementation of subprocess 440. To facilitate this combination of test scores into the cyber-breach score, all test scores may utilize the same range of values (e.g., zero to one hundred) or may be converted to the same range of values. Notably, tests 322 may comprise both an internal test (e.g., automated penetration testing) and an external test (e.g., automated security scan, automated phishing simulation, etc.), such that the cyber-breach score indicates an actual level of compliance with and effectiveness of implemented cybersecurity controls, both internally and externally, and accurately reflects the susceptibility of entity system 140 to an attack (e.g., data breach, ransomware, etc.), both internally and externally.
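The combination step of subprocess 440, together with the percentage-of-passed-tests cyber-scan score and the percentage-of-non-visitors cyber-phishing score defined in the preceding sections, as an added example; this is not code from the application or from any product. It assumes that each test score arrives tagged with the range it was produced on, so that a score on a non-standard range (here a constructed penetration score on 0 to 50) is rescaled to 0 to 100 before averaging, and that a weight of 1.0 on every test reduces the weighted average to the straight average the application also mentions. The score names, weights and sample counts are constructed.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TestScore:
    """One completed test's score, with the range it was reported on and
    the weight it carries when combined into the cyber-breach score."""
    name: str
    value: float
    scale_min: float = 0.0
    scale_max: float = 100.0
    weight: float = 1.0


def cyber_scan_score(tests_passed: int, tests_total: int) -> float:
    """Percentage of scanning-campaign tests that passed (0-100)."""
    if tests_total <= 0 or tests_passed < 0 or tests_passed > tests_total:
        raise ValueError("tests_passed must lie in 0..tests_total and tests_total > 0")
    return round(100.0 * tests_passed / tests_total, 1)


def cyber_phishing_score(unique_recipients: int, unique_visitors: int) -> float:
    """Percentage of unique recipients who did not visit the landing page (0-100)."""
    if unique_recipients <= 0 or unique_visitors < 0 or unique_visitors > unique_recipients:
        raise ValueError("unique_visitors must lie in 0..unique_recipients and recipients > 0")
    return round(100.0 * (unique_recipients - unique_visitors) / unique_recipients, 1)


def normalize(score: TestScore) -> float:
    """Linearly map a score from its own range onto 0-100; reject out-of-range input
    rather than silently clamping, since that would hide a reporting bug."""
    span = score.scale_max - score.scale_min
    if span <= 0:
        raise ValueError(f"{score.name}: empty score range")
    if not (score.scale_min <= score.value <= score.scale_max):
        raise ValueError(f"{score.name}: value {score.value} outside its declared range")
    return 100.0 * (score.value - score.scale_min) / span


def cyber_breach_score(scores: Iterable[TestScore], weighted: bool = True) -> float:
    """Combine normalized test scores into one 0-100 cyber-breach score, either as
    a weighted average (using each score's weight) or as a straight average."""
    scores = list(scores)
    if not scores:
        raise ValueError("at least one test score is required")
    weights = [s.weight if weighted else 1.0 for s in scores]
    total_weight = sum(weights)
    if total_weight <= 0 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and not all zero")
    weighted_sum = sum(normalize(s) * w for s, w in zip(scores, weights))
    return round(weighted_sum / total_weight, 1)


if __name__ == "__main__":
    # Constructed sample campaign results for one assessment.
    scores = [
        # Internal test reported on a hypothetical 0-50 raw scale.
        TestScore("cyber-penetration", 46.0, scale_max=50.0, weight=2.0),
        TestScore("cyber-scan", cyber_scan_score(80, 100)),
        TestScore("cyber-phishing", cyber_phishing_score(50, 10)),
    ]
    print(cyber_breach_score(scores, weighted=False))  # 84.0
    print(cyber_breach_score(scores, weighted=True))   # 86.0
```

Rescaling before averaging is what makes the internal and external results commensurable: without it, a penetration score reported on a 0 to 50 range would drag the combined score down by an amount that has nothing to do with how the entity actually performed.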

Once the cyber-hygiene score and cyber-breach score have been calculated, assessment server 310 may generate the overall cybersecurity assessment 316, for example, as an implementation of subprocess 450. Cybersecurity assessment 316 may comprise the cyber-hygiene score and cyber-breach score. In addition, cybersecurity assessment 316 may provide details about how the cyber-hygiene score was calculated (e.g., on a per-response basis) and/or details about how the cyber-breach score was calculated (e.g., including the test scores that were combined into the cyber-breach score and how those test scores were calculated). Cybersecurity assessment 316 may also comprise benchmarking of the entity's cyber-hygiene score and/or cyber-breach score against the cyber-hygiene scores and/or cyber-breach scores, respectively, of the entity's peers. This benchmarking may be provided at a granular level. For example, each response to a question or request in the questionnaire, as represented in data 314, may be benchmarked against the peer responses to the same question or request. Where appropriate, the benchmark may comprise the percentile rank of the entity's response among its peers. Similarly, the entity's test results 324 for one or more tests 322 may be benchmarked against the test results for the same tests performed against the entity's peers. Advantageously, benchmarking provides context to the entity's cybersecurity assessment 316, so that the entity can visualize its cybersecurity practices and processes relative to its peers, which, in turn, can inform the entity's cyber-risk mitigation and planning.

Cybersecurity assessment 316 may highlight critical failures (e.g., inadequate responses to the questionnaire, responses to the questionnaire that are significantly below benchmarks, failed tests 322, etc.) in cybersecurity controls. In an embodiment, upon detection of a critical failure in the cybersecurity controls in entity system 140, testing server 320 or assessment server 310 may immediately alert a responsible user for the entity. The alert may be provided via email message, text message, and/or other communication to the responsible user. In addition, details about the failure may be provided in the responsible user's dashboard in graphical user interface 312 for immediate risk mitigation.

Cybersecurity assessment 316 may be used to identify a current level of an entity's cyber-hygiene, the entity's susceptibility to cyber-risk, how the entity's cybersecurity controls compare to peers in the same or similar industries, and/or the like, so that the entity can implement contextual and timely risk mitigation and/or prepare a plan of action or cybersecurity plan. For example, a responsible employee of the entity may review a visual representation of cybersecurity assessment 316 (e.g., in graphical user interface 312, as an electronic or printed document, etc.) to identify security domains in which the entity is non-compliant and/or lags behind its peers, identify specific vulnerabilities in entity system 140 (e.g., concerning responses to the questionnaire, assets that have failed tests 322, etc.), and/or the like, and take appropriate action. The responsible employee may also identify security domains in which the entity exceeds its peers, according to the benchmarking analytics, and shift resources from those security domains to security domains in which it lags behind its peers.

In addition, cybersecurity assessment 316 may be used to efficiently and effectively complete an assessment of compliance with cybersecurity mandates, such as CMMC, or other cybersecurity standards. This can facilitate a third-party audit and certification, as well as the acquisition of cyber-insurance for affordable transfer of cyber-risk to an insurance provider. For example, an authorized user may provide access to cybersecurity assessment 316 to one or more third parties, such as an auditor, certification authority, and insurance provider. Access may be provided by exporting cybersecurity assessment 316 into an electronic document and providing it to the third party. Alternatively or additionally, access may be provided by providing a hyperlink to cybersecurity assessment 316, within graphical user interface 312, to the third party. In this case, the third party may be required to have an account with platform 110 and authenticate with that account, prior to viewing cybersecurity assessment 316. Alternatively or additionally, access may be provided by providing access to cybersecurity assessment 316 to the third party via an API of platform 110 and/or submitting cybersecurity assessment 316 to the third party's system 150 via an API of third-party system 150. In all cases, the entity may easily submit cybersecurity assessment 316 to a plurality of third parties. This can be especially useful for submitting cybersecurity assessment 316 to a plurality of insurance brokers or providers to efficiently obtain a plurality of quotes for cyber-insurance. Accordingly, cybersecurity assessment 316 facilitates informed and competitive cyber-insurance pricing.

In an embodiment, cybersecurity assessment 316 comprises alerts that are triggered when a cybersecurity control is detected, based on tests 322, to be deficient and to require corrective action. Additionally or alternatively, cybersecurity assessment 316 may comprise a plan of action that identifies the overall cybersecurity controls (e.g., practices and processes) that are deficient or require corrective action and/or a system security plan that identifies the status and details of all cybersecurity controls that must be fully implemented and operational in order to mitigate cyber-risk and comply with a given standard (e.g., CMMC).

In an embodiment, cybersecurity assessment 316 also comprises other analytics, performed by assessment server 310 or another system, to facilitate risk mitigation and planning. These other analytics may utilize artificial intelligence, such as machine-learning models, to calculate the probability of a data breach based on one or more features, such as test results 324 over a period of time, type(s) of cybersecurity controls that failed and/or weightings of failed cybersecurity control(s), recurrence of failures in cybersecurity controls, time taken to rectify deficiencies in cybersecurity controls, benchmarking results, and/or the like. The results of the analytics (e.g., the calculated probability of a data breach) may be incorporated into cybersecurity assessment 316 to supplement the cyber-breach score.

In addition, graphical user interface 312 may enable the user to drill down to the root causes or contributing factors for the cyber-hygiene score, cyber-breach score, benchmarking to peers, probability of a data breach, and/or the like. These factors may comprise detected deficiencies or failures in cybersecurity controls (e.g., in data 314 and/or test results 324), other details from data 314 and/or test results 324, a history of performance of cybersecurity controls, benchmarking comparisons, and/or the like. This insight, especially in combination with inside-out and outside-in controls testing, can provide timely intelligence on the efficacy of cybersecurity controls and any security holes or other vulnerabilities, to facilitate the timely rectification of those vulnerabilities before a threat actor can exploit them. Thus, cyber-risk can be mitigated and data theft or ransomware attacks can be prevented.

The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles described herein can be applied to other embodiments without departing from the spirit or scope of the invention. Thus, it is to be understood that the description and drawings presented herein represent a presently preferred embodiment of the invention and are therefore representative of the subject matter which is broadly contemplated by the present invention. It is further understood that the scope of the present invention fully encompasses other embodiments that may become obvious to those skilled in the art and that the scope of the present invention is accordingly not limited.

Combinations, described herein, such as “at least one of A, B, or C,” “one or more of A, B, or C,” “at least one of A, B, and C,” “one or more of A, B, and C,” and “A, B, C, or any combination thereof” include any combination of A, B, and/or C, and may include multiples of A, multiples of B, or multiples of C. Specifically, combinations such as “at least one of A, B, or C,” “one or more of A, B, or C,” “at least one of A, B, and C,” “one or more of A, B, and C,” and “A, B, C, or any combination thereof” may be A only, B only, C only, A and B, A and C, B and C, or A and B and C, and any such combination may contain one or more members of its constituents A, B, and/or C. For example, a combination of A and B may comprise one A and multiple B's, multiple A's and one B, or multiple A's and multiple B's.

What is claimed is:
 1. A method comprising using at least one hardware processor to execute a process to: perform a plurality of automated cybersecurity tests on an entity system, wherein the plurality of automated cybersecurity tests comprises an inside-out controls test, an outside-in controls test, and a social-engineering test; for each of the plurality of automated cybersecurity tests, calculate a test score based on results from the automated cybersecurity test; calculate a cyber-breach score based on the test scores calculated for the plurality of cybersecurity tests, wherein the cyber-breach score indicates an effectiveness of an implementation of one or more cybersecurity controls associated with at least one cybersecurity standard; and generate a cybersecurity assessment based on the cyber-breach score.
 2. The method of claim 1, wherein the test scores are calculated based on a mapping between the results from the automated cybersecurity tests and security domains of the at least one cybersecurity standard.
 3. The method of claim 1, further comprising generating a comparison of the cyber-breach score to a benchmark derived from peers of an entity operating the entity system, wherein the cybersecurity assessment comprises the comparison.
 4. The method of claim 1, wherein the at least one hardware processor automatically executes the process periodically to continually update the cybersecurity assessment.
 5. The method of claim 1, further comprising generating a graphical user interface that graphically represents the cyber-breach score and is configured for drill-down into contributing factors for the cyber-breach score.
 6. The method of claim 5, wherein the contributing factors comprise failures in cybersecurity controls and non-compliance with cybersecurity controls, mapped to at least one cybersecurity standard, that were identified in the results from the automated cybersecurity tests.
 7. The method of claim 1, wherein the cyber-breach score is a value within a range from zero to one hundred.
 8. The method of claim 1, wherein the inside-out controls test is executed by a software agent on a node within a network of the entity system.
 9. The method of claim 10, further comprising using the at least one hardware processor to, in response to a triggering event, trigger the inside-out controls test via a call to the software agent.
 10. The method of claim 11, further comprising using the at least one hardware processor to instantiate and configure a dedicated virtual machine to receive results of the inside-out controls test from the software agent.
 11. The method of claim 1, wherein the outside-in controls test is performed against Internet-facing assets of the entity system, wherein the method further comprises using the at least one hardware processor to receive one or more Uniform Resource Locators (URLs), and wherein the outside-in controls test is performed on all of the received one or more URLs.
 12. The method of claim 1, wherein the social-engineering test comprises a phishing simulation against one or more email addresses.
 13. The method of claim 12, further comprising using the at least one hardware processor to: receive a specification of a landing page; incorporate a hyperlink to the landing page into an email message; send the email message to each of the one or more email addresses; and track visits to the landing page.
 14. The method of claim 13, further comprising using the at least one hardware processor to host the landing page.
 15. The method of claim 13, further comprising using the at least one hardware processor to receive a specification of a domain, wherein the email message is sent from the domain.
 16. The method of claim 1, further comprising determining a probability of a cybersecurity breach using a machine-learning model that is trained to predict the probability of a cybersecurity breach based on one or more features in the results from the one or more automated cybersecurity tests, wherein the cybersecurity assessment is further based on the probability of a cybersecurity breach.
 17. The method of claim 1, further comprising detecting one or more failures in the implementation of the plurality of cybersecurity controls associated with the at least one cybersecurity standard, based on the results from the one or more automated cybersecurity tests, wherein the cybersecurity assessment identifies each of the detected one or more failures.
 18. The method of claim 17, further comprising, in response to detecting the one or more failures, initiating at least one alert to one or more recipients.
 19. A system comprising: at least one hardware processor; and one or more software modules that are configured to, when executed by the at least one hardware processor, perform a plurality of automated cybersecurity tests on an entity system, wherein the plurality of automated cybersecurity tests comprises an inside-out controls test, an outside-in controls test, and a social-engineering test, for each of the plurality of automated cybersecurity tests, calculate a test score based on results from the automated cybersecurity test, calculate a cyber-breach score based on the test scores calculated for the plurality of cybersecurity tests, wherein the cyber-breach score indicates an effectiveness of an implementation of one or more cybersecurity controls associated with at least one cybersecurity standard, and generate a cybersecurity assessment based on the cyber-breach score.
 20. A non-transitory computer-readable medium having instructions stored therein, wherein the instructions, when executed by a processor, cause the processor to: perform a plurality of automated cybersecurity tests on an entity system, wherein the plurality of automated cybersecurity tests comprises an inside-out controls test, an outside-in controls test, and a social-engineering test; for each of the plurality of automated cybersecurity tests, calculate a test score based on results from the automated cybersecurity test; calculate a cyber-breach score based on the test scores calculated for the plurality of cybersecurity tests, wherein the cyber-breach score indicates an effectiveness of an implementation of one or more cybersecurity controls associated with at least one cybersecurity standard; and generate a cybersecurity assessment based on the cyber-breach score.